22 June 2018

redefining T-207 checksums

T-207 is a two-channel multiplexed "system" that can be connected to several modems, so it can be found in several FSK waveforms. Given the lack of official documentation it's difficult to say much more about the (former Soviet) T-207: the guys from radioscanner refer to the "equipment" as an in-line ciphering device, while former DDR STASI archives refer to T-207 as an encryption algorithm; probably the name of the algorithm has been used to indicate the system that implements it, although its characteristic "checksums" are also recognizable in clear-text transmissions.

AFAIK, T-207 has two frame formats:  
14 bits: 2 x 6 bits + 2 parity bits
28 bits: 2 x (2 x 6 bits + 2 parity bits)

Using the 14-bit frame format, the two channels A and B may be split as:
1A 2A 3A 4A 5A 6A 1B 2B 3B 4B 5B 6B PP (47.5, 50, 84.21, 94 Baud waveforms) 
or interleaved:
1A 1B 2A 2B 3A 3B 4A 4B 5A 5B 6A 6B PP (100 Bd waveforms and CIS-14)
The 28-bit frame format is used in 200 Baud waveforms and supports up to 4 channels, split as:
1A 1C 2A 2C 3A 3C 4A 4C 5A 5C 6A 6C PP 1B 1D 2B 2D 3B 3D 4B 4D 5B 5D 6B 6D PP

As said in the previous posts, T-207 detection had to be done manually by processing the demodulated bitstream and checking whether it matches the criteria described in this post on the radioscanner forum: count the number of "1" bits in the first 12 columns, then check whether bits 13-14 have one of the expected values.
The Octave script shown here has been improved and now detects the presence of T-207 checksums in a given bit stream, for each possible position (shift) of the checksum bits. I ran the script against several waveforms and the results are very interesting.
So far, I found two checksum modes termed "3" and "20":

and three waveforms (50Bd/1000, 100Bd/500, VFT 6x100Bd/120) that can be coded with either of the two checksums:

It's worth noting a CIS-14 96Bd/500 transmission which transports data only in channel B: it's probably a test, since the data are in clear-text mode.

The Octave script T202_detect.m can be downloaded from:

20 June 2018

(few) logs 23 Apr - 19 Jun

04538.0: ---: Russian Navy, RUS 2044 (CF) FSK 500Bd/1000 "Akula" (30Apr18) (AAI)
04553.5: ZLST: Zoll Leitstelle Cuxhaven, D 2049 USB 188-141A calling ZPRI Zollboot Priwall (30Apr18) (AAI)
06298.7: ---: Unid 1927 USB STANAG-4285 600bpsL modem, sending KG84 encrypted file (01May18) (AAI)
06377.7: ---: Unid 2015 CF, 4481-F 75Bd/850 encrypted tfc (16May18) (AAI)
06562.0: 121303: Unid 1915 USB 188-141A sounding (01May18) (AAI)
06820.0: HN02: Algerian Mil, ALG 2054 USB MIL 188-110 App.B waveform, OFDM 39-tone (25May18) (AAI)
07559.0: ---: Unid 0633 USB 3G-HF 2-way FLSU handshake / HDL+ transfer (29May18) (AAI)
07605.0: 811001: Unid 0753 USB 188-141A sounding (19Jun18) (AA)
07813.0: ANOUAL2: Moroccan Mil, MRC 2005 USB 188-141A, sounding (22May18) (AAI)
08008.0: AK0: Chinese net, CHN 2136 USB 188-141A calling DD3 / propr. MFSK-8 waveform (10May18) (AAI)
08008.0: DD3: Chinese net, CHN 2133 USB 188-141A, calling AK0 (10May18) (AAI)
08054.0: SP0: (should be SP01) Algerian Mil, ALG 0801 USB 188-141A calling FN01 (02May18) (AAI)
08132.0: BP26: Bundespolizei Küstenwache Patrol Vessel 'Bredstedt', D 2143 USB 188-141A handshake BPLEZS flwd by R&S GM-2100 HF modem, adding vessel GPS position to central database using uucp session and R&S X.25 packet connection (06Jun18) (AAI)
08146.0: JBR: Unid 2000 USB 188-141A sounding (07May18) (AAI)
08146.0: MFQ: Unid 1931 USB 188-141A sounding (07May18) (AAI)
08408.2: PBB: Dutch-Ny Den Helder, HOL 1105 USB STANAG-4285 600bps/L, NATO naval broadcast, secured with KW-46 encryption (24May18) (AAI)
08453.0: FUO: French-Ny, F 0927 USB STANAG-4285 600bpsL Async 5N2, "FP DE FUO QSL R 040742Z MAI 18 TIME 0927Z K", "FP DE FUO MERCI BON QUART AR" (03May18) (AAI)
08458.0: DC4: Unid (short for DC418P) 1027 USB 188-141A, calling KC1 (short for KC118P) (09May18) (AAI)
08458.0: KC118P: Unid 0809 USB 188-141A handshake DC418P / 188-110A Serial (08May18) (AAI)
08677.2: EBA: Spanish-Ny 2110 USB STANAG-4285 600BPSL, sending KG84 encrypted msg (10May18) (AAI)
08847.0: DD2: Israeli AF, ISR 1952 USB 188-141A sounding (15Jun18) (AA)
08870.2: ---: Unid 2158 USB STANAG-4285 600BPSL, sending KG84 encrypted msg (10May18) (AAI)
09057.7: A89: Chinese net, CHN USB 188-141A, calling E55 (10May18) (AAI)
09091.0: TAO: (=TAngO) Unid 0835 USB 188-141A, calling PAA (=PApA). Also heard on 8810.0 (14May18) (AAI)
10323.0: HNT: Unid (poss. NATO) 0718 USB 188-141A handshaking ZRO (=ZeRO) / 188-110A Serial follow (17May18) (AAI)
10333.0: RCI: Saudi Air Force Riyadh, ARS 1654 USB 188-141A calling NAI (22Apr18) (AAI)
10333.0: RCP: Saudi Air Force Riyadh, ARS 1612 USB 188-141A calling NAP (22Apr18) (AAI)
10832.8: 1247: Unid (Bulgarian net?) 1544 (CF) CCIR 493-4, calling 1246 (09May18) (AAI)
10935.0: ---: Ukr-Mil, UKR 0845 (CF) F7B mode 100Bd/500Hz in idling & traffic mode (08May18) (AAI)
11050.0: AK01: Algerian Mil, ALG 0801 USB 188-141A calling BW01 (08May18) (AAI)
11173.0: 757: Algerian AF, ALG 0724 USB 188-141A, calling CM6 (21May18) (AAI)
11325.0: ---: Unid 1930 LSB Chinese MFSK-64 10Bd flwd by 4+4 p/4 DQPSK 75Bd, strong reception (29May18) (AAI)
11413.0: JBR: Unid 0800 USB 188-141A sounding (17May18) (AAI)
11413.0: MFQ: Unid 0801 USB 188-141A sounding (17May18) (AAI)
12168.0: ---: Rus-Ny, RUS 1027 (CF) FSK 500Bd/1000 "Akula" (03May18) (AAI)
12410.7: ---: Unid 0817 USB STANAG-4285 600BPSL, sending KG84 encrypted msg (17May18) (AAI)
12460.0: ---: Unid (poss. KLN-Network tests) 1407 USB BPSK 2400Bd bursts, 288 symbols frame (14May18) (AAI)
12595.0: TAO: (=TAngO) Unid net 1011 USB 188-141A handshake OSR (=OScaR) / 188-110A Serial sending Harris 'Citadel' encrypted files (03May18) (AAI) [1]
13419.8: ---: Unid prob. French-Ny 0745 (CF) FSK 50Bd/850 continuous bcast, KW-46 encryption (31May18) (AAI)
13900.0: ---: Ukr-Mil, UKR 0650 (CF) F7B mode 100Bd/1000Hz, tones at -1500, -500, +500, +1500 (29May18) (AAI)
13909.5: ---: Rus-Mil/Gov 0701 (CF) T-207 FSK 100Bd/2000, s/off 0720 (07Jun18) (AAI)
13910.0: ---: Rus-Mil/Gov 0535 USB T-207 6x100Bd/120 VFT system,active channels:1-2-4 (06Jun18) (AAI)
14452.0: LAG: Algerian Air Force Laghaout, Alg 0825 USB 188-141A handshake CM4 flwd by 188-110A Serial (17Jun18) (AA)
14548.2: ---: Unid, prob. UK MoD from Akrotiri Cyprus 0850 USB STANAG-4285 1200bps/L, 1536-bit protocol (17Jun18)
14570.0: ---: Ukr-Mil, UKR 0605 USB 6x100Bd/120 VFT, channels 1,2,3,4,6 in stdby, 5 active, T207 encryption (30May18) (AAI)
14694.7: ---: Unid prob. Finnish Defence Forces 1316 (CF) Panasonic CF-U1 (Nokia M/90), Adaptive MSG-Terminal FSK 301Bd/151Bd 780Hz shift (31May18) (AAI)
15876.0: ---: Unid 0945 (CF) FSK 300Bd/500 blocks, 360-bit period (24May18) (AAI)
16520.0: JAY: Unid 0918 USB 188-141A, calling ZH5. Other heard callsigns: UYS,CMR (13May18) (AAI)
16607.7: ---: Unid 1222 USB STANAG-4285 600BPSL, sending KG84 encrypted msg (20May18) (AAI)

17 June 2018

STANAG-4285 128 bit 1536F protocol (UK MoD?)

I followed these STANAG-4285 transmissions on 14548.2/usb throughout the morning and the first part of the afternoon. Unlike similar S-4285 broadcasts, this is not a continuous broadcast: messages are transmitted as needed, always using the 1200bps Long interleaver sub-mode.
After convolutional decoding and de-interleaving, the data link protocol exhibits a 128-bit structure, but actually it's the 1536-bit TDM protocol (thanks to KarapuZ). TDoA multilateration using 4 KiwiSDRs as sensors points to the island of Cyprus as the Tx site: maybe UK MoD from Akrotiri?

Fig. 1
Fig. 2

Fig. 3

15 June 2018

STANAG-4539: unexpected data rate of 12800 bps

Long transmission (hours) of STANAG-4539 8PSK 2400 Bd bursts spotted on the morning of 14 June on 7807.2/usb: each burst lasts 1680 ms and is composed of 13 frames of 287 tribit symbols. It's interesting to note the uncoded 12800 bps speed detected by the 5710-A modem: using 8PSK at a modulation rate of 2400 Bd, the maximum data rate obtainable is 4800 bps (7200 bps on-air), therefore something is wrong somewhere (a data rate of 12800 bps is obtainable using QAM64 modulation at 2400 Bd). STANAG-4539 is an "auto-baud" waveform, so perhaps they use a modified preamble that misleads the modem.
A run of TDoA multilateration points to Cornwall (UK) as the Tx location; possibly UK MoD tests from St. Eval?

Fig. 1
Fig. 2
Fig. 3

12 June 2018

TDMA waveforms (STANAG-4539 Annex D,...) and NILE/Link-22

Recently, some friends and I happened to run into QPSK and 8PSK burst waveforms that are among those described by STANAG-4539 for TDMA (Time Division Multiple Access) operations and that are used by NILE/Link-22. Even though I have no direct confirmation, my cautious guess is that these are probably Link-22 transmissions.

In TDMA mode each user is allowed to transmit only within specified time intervals (time slots), so that different users transmit in different time slots. When users transmit, they occupy the whole frequency bandwidth (separation among users is performed in the time domain).
According to S-4539 Annex D, a TDMA slot is the high-level structure in which information is transmitted/received, and it is composed of a Preamble, a certain number of Media Code Frames and a Guard Time (Fig. 1).

Fig. 1 - TDMA Slot Time
A Media Code Frame is composed of 270 symbols transmitted/received at the modulation rate of 2400 baud, following a certain waveform structure (Traffic Waveform) with different waveforms and modulation. Each Traffic Waveform is composed of a sequence of different DATA blocks and Mini Probe (MP) blocks: the DATA block contains coded user information symbols and the MP block contains known training symbols to be used by the equaliser. There are two different types of PSK modulation: QPSK and 8PSK. QPSK is used for the preamble, while either QPSK or 8PSK is used for Media Code Frame transmission.
As far as I know, and from S-4539 Annex D, the 270 symbols of a Media Code Frame are arranged according to the Traffic Waveform (TWF) in use:
TWF1: 4 packages with 48 data and 19/20 probes
TWF2: 8 packages with 18 data and 15/16 probes
TWF3: 4 packages with 48 data and 19/20 probes
TWF4 to TWF7: 1 package with 240 data and 30 probes, 8PSK
TWF?: 3 packages with 60 data and 30 probes

That said, the 270 symbols of a Media Code Frame sent at 2400 symbols/s, regardless of the Traffic Waveform used, should produce an ACF value of 112.5 ms.
The analysis of the signals was therefore aimed at checking that ACF value, the structure of the Media Code Frames (Traffic Waveforms) and some other possible regularities among the signals. Unfortunately I only have Annex D of S-4539, which specifies only the first three Traffic Waveforms, while from some advertising on the internet (Fig. 2) one can see that there can be up to 18 of them (Annex G).

Fig. 2 - STANAG-4539/Link-22 Traffic Waveforms
The lack of official documentation means that these signals cannot be identified with certainty as Link-22, but there is a good chance that they are.

QPSK modulations
Below, an interesting transmission of 4 Media Code Frame slots (Fig. 4). Each Media Code Frame (270 symbols, 112.5 ms) seems composed of 3 packages with 60 data and 30 probe symbols (Fig. 5).

Fig. 4 - 4 Media Code Frame slots
Fig. 5 - Traffic Waveform composed of 3 packages
Fig. 6 shows a Media Code Frame that uses a Traffic Waveform composed of only 1 package (TWF 1-7) followed by a 3-package Traffic Waveform (37.5 ms).

Fig. 6

8PSK modulations
In this sample the Media Code Frame uses a Traffic Waveform composed of two packages (Fig. 7).

Fig. 7 - 2 packages Traffic Waveform

As verified by KarapuZ, all the analyzed signals have the same preamble: below, in Figs. 8 and 9, an example of two signals (8PSK and QPSK).

Fig. 8
Fig. 9
(to be continued)

10 June 2018

CIS-12 TDoA measurements using GPS time-stamped IQ samples from KiwiSDRs

TDOA (Time Difference Of Arrival), also known as multilateration, is a well-established technique for the geolocation of RF emitters. Using three or more receivers, TDOA algorithms locate a signal source from the different arrival times at the receivers.
In this case, the TDoA measurements relate to a CIS-12 signal (AT-3004D modem) spotted this morning on 11414.0 kHz/usb and use GPS time-stamped IQ samples from four KiwiSDRs: F1JEK (JN05hs, south-western France), SV3EXP (KM07qx, western Greece), UR5VIB (KN68DL, central Ukraine) and KHIMKI (KO85qw, near Moscow, Russia).
Cross-correlations suggest the Crimean peninsula as the area of the Tx antenna. Since CIS-12 is widely used by the Russian Navy, it's quite reasonable to assume that the Tx is in Sevastopol, Black Sea Fleet HQ. Note the scattering in the correlations involving the French SDR (F1JEK), which is due to multipath propagation.


Plots are obtained using my (old) Ubuntu 12.06 LTS updated to gcc 6.6 and gnuplot 4.4; TDoA algorithms implemented by Christoph Mayer:
and GNU Octave (scientific programming language) version 4.4:

5 June 2018

Nokia msg terminal + Tadiran HF equipment

Transmission picked up some days ago by my friend AngazU using the SM2BYC KiwiSDR. The signal is composed of an initial tone followed by a preamble consisting of F7B modulation (apparently MFSK-4) and two simultaneous FSK modulations (Fig. 1). As suggested by cryptomaster and KarapuZ, this is an interesting example of a Nokia Adaptive MSG Terminal, which is used along with Tadiran HF equipment that presumably provides an active noise cancellation feature.

Fig. 1 - waveforms
The upper FSK 125Bd/290 repeatedly delivers the same 84-bit pattern, and it's interesting to note that the last 84-bit sequence is sent with opposite polarity: perhaps signalling the last group/block of data (sent in the lower FSK). The same parameters (FSK and 84-bit pattern length) have been discussed here on radioscanner:
Although, of course, we could be wrong, because a specific description of this function was not found for TADIRAN HF modems.

The lower FSK 300Bd/780, after the initial 1-0 sync pattern, delivers data and seems to have a 16-bit period. After differential demodulation the stream exhibits 8 solid bit columns in a 16-bit period, and once these are removed the stream does not have a clearly defined period (Fig. 2).

Fig. 2 - bitstreams
Cryptomaster is inclined towards Manchester modulation, but I get errors with both phase conventions (G.E. Thomas and IEEE 802), and he pointed out to me that the signal has a constant preamble which is not Manchester-coded (Fig. 3) and causes decoding errors.

Fig. 3

As far as I can see, the same F7B + FSK 125Bd structure is sent first but without the lower FSK 300Bd (Fig. 4). The patterns are the same in the two FSK 125Bd streams; perhaps they are used to initialize the (supposed) Tadiran noise blanker function?


3 June 2018

MIL 188-110C App.D: 9KHz/7200Bd & 12KHz/9600Bd

9KHz/7200Bd & 12KHz/9600Bd WBHF waveforms spotted in the 9 MHz band. Both ACFs show a value of 120 ms, which corresponds to 864 symbols for the 7200 Bd waveform (768 unknown + 96 known) and 1152 symbols for the 9600 Bd waveform (1024 unknown + 128 known).

The extra spikes in the ACF diagrams, more evident in the CCF, are in my guess due to the cyclically rotated version of the mini-probe which is used to identify the long interleaver block boundary (MIL 188-110D #D.5.2.2). Note that 2 data blocks make a 4608-bit block (768x2x3) and 21 data blocks make a 64512-bit block (1024x21x3), therefore the CCF spikes are related, since 64512/4608 = 14.


30 May 2018


Finally a useful and fast tool to check for the presence of T207 encoding in FSK bitstreams. The tool T207_test runs on Octave, a programming language for scientific computing, and was originally (and roughly) coded by me and then optimized and sped up by Christoph:

Below an example where T207_test is successfully used on a 6 x 100Bd/120 VFT:

The script builds an n x 14 test matrix and for each row computes the number of "1" bits in the first 12 columns; it then checks whether the value of bits 13-14 is the one expected according to the table below. Since the 2-bit 'checksum' can occur anywhere within the 14-bit frame, the stream is shifted up to 14 times, building a new test matrix at each shift. The script counts the successful checks for each test matrix and displays the results. The best test matrix is also plotted, along with the frame start offset (i.e. after how many shifts).
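As an added example (not the blog's T207_test.m nor Christoph's optimized version), the same shift-and-count check in Python for the 14-bit frame format of the 22 June post above: the checksum table is not reproduced on the page, so instead of looking values up the script learns the dominant 2-bit tail for each popcount at every one of the 14 alignments and scores how consistently it is obeyed. The hypothetical_checksum rule and the constructed stream are demo placeholders, not the real T-207 checksum.

```python
# Added example: scan a demodulated bit stream for T-207 style 14-bit frames
# whose last 2 bits depend on the popcount of the first 12 bits, trying all 14
# alignments as the Octave script does. No checksum table is assumed.
import random
from collections import Counter, defaultdict

FRAME, DATA = 14, 12

def frames_at(bits, offset):
    """Rows of the n x 14 test matrix when the frame boundary sits at `offset`."""
    return [bits[i:i + FRAME] for i in range(offset, len(bits) - FRAME + 1, FRAME)]

def score_offset(bits, offset):
    """Tabulate the 2-bit tail seen after each 12-bit popcount for one alignment.
    Returns (consistency, table): the fraction of rows whose tail is the dominant
    one for their popcount (1.0 if the tail is a true function of the popcount,
    well below that for misaligned or random bits), and popcount -> dominant tail."""
    rows = frames_at(bits, offset)
    if not rows:
        return 0.0, {}
    tails = defaultdict(Counter)
    for row in rows:
        tails[sum(row[:DATA])][(row[DATA] << 1) | row[DATA + 1]] += 1
    hits = sum(c.most_common(1)[0][1] for c in tails.values())
    table = {w: c.most_common(1)[0][0] for w, c in tails.items()}
    return hits / len(rows), table

def detect_t207(bits):
    """Shift the stream through all 14 alignments; return (offset, consistency, table)."""
    best = (0, 0.0, {})
    for offset in range(FRAME):
        cons, table = score_offset(bits, offset)
        if cons > best[1]:
            best = (offset, cons, table)
    return best

def hypothetical_checksum(popcount):
    """Placeholder rule for the demo only (popcount mod 4); NOT the real T-207 table."""
    return popcount % 4

def make_stream(n_frames, offset, checksum, seed=1):
    """Constructed test stream: `offset` leading junk bits, then 12 data + 2 tail bits."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(offset)]
    for _ in range(n_frames):
        data = [rng.getrandbits(1) for _ in range(DATA)]
        tail = checksum(sum(data))
        bits += data + [tail >> 1, tail & 1]
    return bits

if __name__ == "__main__":
    offset, cons, table = detect_t207(make_stream(300, 5, hypothetical_checksum))
    print(f"frame start offset {offset}, success rate {cons:.2f}, table {table}")
```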

25 May 2018

NATO naval broadcast and KW-46 encryption

This post follows up and completes the one by Christoph where he noticed the presence of LFSR-delimited 7-bit frames in STANAG-4285 payloads.
Given that: 

1) the HF waveform STANAG-4285 is largely used for NATO naval broadcasts;

2) the markers consist of the bits of a pseudo-random sequence generated by the polynomial x^31+x^3+1, as specified by STANAG-5630 and already seen in FSK 50Bd/850;

3) those bits (termed "Fibonacci bits") are used by KW-46 cryptographic equipment to provide  synchronization; 

we can assume that NATO naval broadcasts are secured with KW-46 encryption. 

We analyzed several STANAG-4285 transmissions in both 600L and 1200L sub-modes, picked up on well-known frequencies (belonging to the British, Danish, Dutch, French, German, Norwegian and Spanish Navies) such as:
1200L_10186.2, 1200L_10264.1, 1200L_13410.1, 1200L_7554.6, 1200L_9095.0, 600L_10733.3, 600L_12958.3, 600L_13057.7, 600L_5361.8, 600L_8170.2, 600L_8408.2, 600L_8612.2, 660L_11538.3 (all USB)
and in all of them we verified the presence of the Fibonacci bits.

STANAG-4285 bitstreams after deinterleaving and convolutional decoding
Fibonacci bits (before descrambling) 

By the way, a NATO naval broadcast consists of a continuous coded stream of data which is typically transmitted over multiple HF frequencies at the same time, providing an uninterrupted data flow from shore to ships. In the absence of messages to be transmitted, "jam" messages (pseudo-random chars) are injected into the data stream.

28 May update
NATO RATT (4481-F) 75Bd/850, same story as above, i.e.:
"taps" 1000000000000000000000000000100 = polynomial x^31+x^3+1 = KW-46 encryption.
This stream has been processed using Octave scripts and Christoph's C++ code.
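As an added example (not Christoph's C++ code nor the Octave scripts used for the post), a Python check for the Fibonacci bits: it generates the x^31+x^3+1 sequence, tries both tap conventions (the post gives only the polynomial, and the reciprocal produces the same m-sequence read backwards) and every marker phase, assuming one LFSR bit delimits each 7-bit frame (8-bit period). The MSB-is-x^31 reading of the tap string in taps_from_string and the constructed test stream are assumptions of this example.

```python
# Added example: generate the x^31 + x^3 + 1 "Fibonacci bits" and scan a
# decoded STANAG-4285 / 4481-F stream for them as the marker bit that delimits
# 7-bit frames (assumed 8-bit period, both tap conventions tried).
import random

TAPS_POLY = (31, 28)   # s[n] = s[n-31] ^ s[n-28], characteristic poly x^31 + x^3 + 1
TAPS_RECIP = (31, 3)   # s[n] = s[n-31] ^ s[n-3], reciprocal poly x^31 + x^28 + 1

def taps_from_string(taps):
    """Read a tap string like the post's 1000...100 into polynomial exponents,
    assuming the leftmost character is x^31: gives [31, 3] for x^31 + x^3 + 1."""
    return [len(taps) - i for i, c in enumerate(taps) if c == "1"]

def lfsr_sequence(taps, seed, n):
    """Fibonacci LFSR: s[i] = s[i-taps[0]] ^ s[i-taps[1]]; `seed` is the first 31 bits."""
    s = list(seed)
    for i in range(len(s), n):
        s.append(s[i - taps[0]] ^ s[i - taps[1]])
    return s[:n]

def recurrence_fit(seq, taps):
    """Fraction of positions where the recurrence holds: 1.0 for a genuine LFSR
    run, around 0.5 for random bits or the wrong convention."""
    span = max(taps)
    checks = [seq[i] == (seq[i - taps[0]] ^ seq[i - taps[1]]) for i in range(span, len(seq))]
    return sum(checks) / len(checks) if checks else 0.0

def find_fibonacci_bits(stream, period=8):
    """Try every marker phase within the period and both tap conventions.
    Returns (phase, taps, fit) for the best fit."""
    best = (None, None, 0.0)
    for phase in range(period):
        markers = stream[phase::period]          # candidate marker column
        for taps in (TAPS_POLY, TAPS_RECIP):
            fit = recurrence_fit(markers, taps)
            if fit > best[2]:
                best = (phase, taps, fit)
    return best

def make_stream(n_frames, phase, taps, seed=7):
    """Constructed test stream: 7 random payload bits plus one LFSR bit per 8-bit frame."""
    rng = random.Random(seed)
    markers = lfsr_sequence(taps, [1] * 31, n_frames)
    out = []
    for k in range(n_frames):
        frame = [rng.getrandbits(1) for _ in range(8)]
        frame[phase] = markers[k]
        out += frame
    return out

if __name__ == "__main__":
    phase, taps, fit = find_fibonacci_bits(make_stream(600, 3, TAPS_POLY))
    print(f"marker phase {phase}, taps {taps}, fit {fit:.3f}")
```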